SuSE 11.2 Security Update : MozillaFirefox (SAT Patch Number 7224)

This script is Copyright (C) 2013-2014 Tenable Network Security, Inc.


Synopsis :

The remote SuSE 11 host is missing one or more security updates.

Description :

Mozilla Firefox was updated to the 10.0.12ESR release.

- Mozilla developers identified and fixed several memory
safety bugs in the browser engine used in Firefox and
other Mozilla-based products. Some of these bugs showed
evidence of memory corruption under certain
circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary
code. (MFSA 2013-01)

- Christoph Diehl, Christian Holler, Mats Palmgren, and
Chiaki Ishikawa reported memory safety problems and
crashes that affect Firefox ESR 10, Firefox ESR 17, and
Firefox 17. (CVE-2013-0769)

- Bill Gianopoulos, Benoit Jacob, Christoph Diehl,
Christian Holler, Gary Kwong, Robert O'Callahan, and
Scoobidiver reported memory safety problems and crashes
that affect Firefox ESR 17 and Firefox 17.
(CVE-2013-0749)

- Jesse Ruderman, Christian Holler, Julian Seward, and
Scoobidiver reported memory safety problems and crashes
that affect Firefox 17. (CVE-2013-0770)

- Security researcher Abhishek Arya (Inferno) of the
Google Chrome Security Team discovered a series
critically rated of use-after-free, out of bounds read,
and buffer overflow issues using the Address Sanitizer
tool in shipped software. These issues are potentially
exploitable, allowing for remote code execution. We
would also like to thank Abhishek for reporting three
additional user-after-free and out of bounds read flaws
introduced during Firefox development that were fixed
before general release. (MFSA 2013-02)

The following issue was fixed in Firefox 18 :

- Global-buffer-overflow in
CharDistributionAnalysis::HandleOneChar. (CVE-2013-0760)

The following issues were fixed in Firefox 18, ESR 17.0.1, and ESR
10.0.12 :

- Heap-use-after-free in imgRequest::OnStopFrame.
(CVE-2013-0762)

- Heap-use-after-free in ~nsHTMLEditRules. (CVE-2013-0766)

- Out of bounds read in
nsSVGPathElement::GetPathLengthScale. (CVE-2013-0767)

The following issues were fixed in Firefox 18 and ESR 17.0.1 :

- Heap-use-after-free in
mozilla::TrackUnionStream::EndTrack. (CVE-2013-0761)

- Heap-use-after-free in Mesa, triggerable by resizing a
WebGL canvas. (CVE-2013-0763)

- Heap-buffer-overflow in
gfxTextRun::ShrinkToLigatureBoundaries. (CVE-2013-0771)

The following issue was fixed in Firefox 18 and in the earlier ESR
10.0.11 release :

- Heap-buffer-overflow in nsWindow::OnExposeEvent.
(CVE-2012-5829)

- Security researcher miaubiz used the Address Sanitizer
tool to discover a buffer overflow in Canvas when
specific bad height and width values were given through
HTML. This could lead to a potentially exploitable
crash. (CVE-2013-0768). (MFSA 2013-03)

Miaubiz also found a potentially exploitable crash when
2D and 3D content was mixed which was introduced during
Firefox development and fixed before general release.

- Security researcher Masato Kinugawa found a flaw in
which the displayed URL values within the addressbar can
be spoofed by a page during loading. This allows for
phishing attacks where a malicious page can spoof the
identify of another site. (CVE-2013-0759). (MFSA
2013-04)

- Using the Address Sanitizer tool, security researcher
Atte Kettunen from OUSPG discovered that the combination
of large numbers of columns and column groups in a table
could cause the array containing the columns during
rendering to overwrite itself. This can lead to a
user-after-free causing a potentially exploitable crash.
(CVE-2013-0744). (MFSA 2013-05)

- Mozilla developer Wesley Johnston reported that when
there are two or more iframes on the same HTML page, an
iframe is able to see the touch events and their targets
that occur within the other iframes on the page. If the
iframes are from the same origin, they can also access
the properties and methods of the targets of other
iframes but same-origin policy (SOP) restricts access
across domains. This allows for information leakage and
possibilities for cross-site scripting (XSS) if another
vulnerability can be used to get around SOP
restrictions. (CVE-2013-0751). (MFSA 2013-06)

- Mozilla community member Jerry Baker reported a crashing
issue found through Thunderbird when downloading
messages over a Secure Sockets Layer (SSL) connection.
This was caused by a bug in the networking code assuming
that secure connections were entirely handled on the
socket transport thread when they can occur on a variety
of threads. The resulting crash was potentially
exploitable. (CVE-2013-0764). (MFSA 2013-07)

- Mozilla developer Olli Pettay discovered that the
AutoWrapperChanger class fails to keep some JavaScript
objects alive during garbage collection. This can lead
to an exploitable crash allowing for arbitrary code
execution. (CVE-2013-0745). (MFSA 2013-08)

- Mozilla developer Boris Zbarsky reported reported a
problem where jsval-returning quickstubs fail to wrap
their return values, causing a compartment mismatch.
This mismatch can cause garbage collection to occur
incorrectly and lead to a potentially exploitable crash.
(CVE-2013-0746). (MFSA 2013-09)

- Mozilla security researcher Jesse Ruderman reported that
events in the plugin handler can be manipulated by web
content to bypass same-origin policy (SOP) restrictions.
This can allow for clickjacking on malicious web pages.
(CVE-2013-0747). (MFSA 2013-10)

- Mozilla security researcher Jesse Ruderman discovered
that using the toString function of XBL objects can lead
to inappropriate information leakage by revealing the
address space layout instead of just the ID of the
object. This layout information could potentially be
used to bypass ASLR and other security protections.
(CVE-2013-0748). (MFSA 2013-11)

- Security researcher pa_kt reported a flaw via
TippingPoint's Zero Day Initiative that an integer
overflow is possible when calculating the length for a
JavaScript string concatenation, which is then used for
memory allocation. This results in a buffer overflow,
leading to a potentially exploitable memory corruption.
(CVE-2013-0750). (MFSA 2013-12)

- Security researcher Sviatoslav Chagaev reported that
when using an XBL file containing multiple XML bindings
with SVG content, a memory corruption can occur. In
concern with remote XUL, this can lead to an exploitable
crash. (CVE-2013-0752). (MFSA 2013-13)

- Security researcher Mariusz Mlynski reported that it is
possible to change the prototype of an object and bypass
Chrome Object Wrappers (COW) to gain access to chrome
privileged functions. This could allow for arbitrary
code execution. (CVE-2013-0757). (MFSA 2013-14)

- Security researcher Mariusz Mlynski reported that it is
possible to open a chrome privileged web page through
plugin objects through interaction with SVG elements.
This could allow for arbitrary code execution.
(CVE-2013-0758). (MFSA 2013-15)

- Security researcher regenrecht reported, via
TippingPoint's Zero Day Initiative, a use-after-free in
XMLSerializer by the exposing of serializeToStream to
web content. This can lead to arbitrary code execution
when exploited. (CVE-2013-0753). (MFSA 2013-16)

- Security researcher regenrecht reported, via
TippingPoint's Zero Day Initiative, a use-after-free
within the ListenerManager when garbage collection is
forced after data in listener objects have been
allocated in some circumstances. This results in a
use-after-free which can lead to arbitrary code
execution. (CVE-2013-0754). (MFSA 2013-17)

- Security researcher regenrecht reported, via
TippingPoint's Zero Day Initiative, a use-after-free
using the domDoc pointer within Vibrate library. This
can lead to arbitrary code execution when exploited.
(CVE-2013-0755). (MFSA 2013-18)

- Security researcher regenrecht reported, via
TippingPoint's Zero Day Initiative, a garbage collection
flaw in JavaScript Proxy objects. This can lead to a
use-after-free leading to arbitrary code execution.
(CVE-2013-0756). (MFSA 2013-19)

- Google reported to Mozilla that TURKTRUST, a certificate
authority in Mozilla's root program, had mis-issued two
intermediate certificates to customers. The issue was
not specific to Firefox but there was evidence that one
of the certificates was used for man-in-the-middle
(MITM) traffic management of domain names that the
customer did not legitimately own or control. This issue
was resolved by revoking the trust for these specific
mis-issued certificates. (CVE-2013-0743). (MFSA 2013-20)

See also :

http://www.mozilla.org/security/announce/2013/mfsa2013-01.html
http://www.mozilla.org/security/announce/2013/mfsa2013-02.html
http://www.mozilla.org/security/announce/2013/mfsa2013-03.html
http://www.mozilla.org/security/announce/2013/mfsa2013-04.html
http://www.mozilla.org/security/announce/2013/mfsa2013-05.html
http://www.mozilla.org/security/announce/2013/mfsa2013-06.html
http://www.mozilla.org/security/announce/2013/mfsa2013-07.html
http://www.mozilla.org/security/announce/2013/mfsa2013-08.html
http://www.mozilla.org/security/announce/2013/mfsa2013-09.html
http://www.mozilla.org/security/announce/2013/mfsa2013-10.html
http://www.mozilla.org/security/announce/2013/mfsa2013-11.html
http://www.mozilla.org/security/announce/2013/mfsa2013-12.html
http://www.mozilla.org/security/announce/2013/mfsa2013-13.html
http://www.mozilla.org/security/announce/2013/mfsa2013-14.html
http://www.mozilla.org/security/announce/2013/mfsa2013-15.html
http://www.mozilla.org/security/announce/2013/mfsa2013-16.html
http://www.mozilla.org/security/announce/2013/mfsa2013-17.html
http://www.mozilla.org/security/announce/2013/mfsa2013-18.html
http://www.mozilla.org/security/announce/2013/mfsa2013-19.html
http://www.mozilla.org/security/announce/2013/mfsa2013-20.html
https://bugzilla.novell.com/show_bug.cgi?id=796895
http://support.novell.com/security/cve/CVE-2012-5829.html
http://support.novell.com/security/cve/CVE-2013-0743.html
http://support.novell.com/security/cve/CVE-2013-0744.html
http://support.novell.com/security/cve/CVE-2013-0745.html
http://support.novell.com/security/cve/CVE-2013-0746.html
http://support.novell.com/security/cve/CVE-2013-0747.html
http://support.novell.com/security/cve/CVE-2013-0748.html
http://support.novell.com/security/cve/CVE-2013-0749.html
http://support.novell.com/security/cve/CVE-2013-0750.html
http://support.novell.com/security/cve/CVE-2013-0751.html
http://support.novell.com/security/cve/CVE-2013-0752.html
http://support.novell.com/security/cve/CVE-2013-0753.html
http://support.novell.com/security/cve/CVE-2013-0754.html
http://support.novell.com/security/cve/CVE-2013-0755.html
http://support.novell.com/security/cve/CVE-2013-0756.html
http://support.novell.com/security/cve/CVE-2013-0757.html
http://support.novell.com/security/cve/CVE-2013-0758.html
http://support.novell.com/security/cve/CVE-2013-0759.html
http://support.novell.com/security/cve/CVE-2013-0760.html
http://support.novell.com/security/cve/CVE-2013-0761.html
http://support.novell.com/security/cve/CVE-2013-0762.html
http://support.novell.com/security/cve/CVE-2013-0763.html
http://support.novell.com/security/cve/CVE-2013-0764.html
http://support.novell.com/security/cve/CVE-2013-0766.html
http://support.novell.com/security/cve/CVE-2013-0767.html
http://support.novell.com/security/cve/CVE-2013-0768.html
http://support.novell.com/security/cve/CVE-2013-0769.html
http://support.novell.com/security/cve/CVE-2013-0770.html
http://support.novell.com/security/cve/CVE-2013-0771.html

Solution :

Apply SAT patch number 7224.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
Public Exploit Available : true